FBI's Carnivore: Under the Fourth Amendment and the USA Patriot
Total Page:16
File Type:pdf, Size:1020Kb
1 OKLA. J. L. & TECH. 2 (2003) (formerly 2003 OKJOLT Rev. 2) www.okjolt.org Abstract Scott Griner, a 2003 University of Oklahoma Law School graduate introduces us to the FBI=s email monitoring system, Carnivore. After a brief description of Carnivore and its use in criminal investigations, Mr. Griner analyzes Carnivore under the Fourth Amendment. Finally, Mr. Griner examines The USA PATRIOT Act=s impact on the FBI=s use of Carnivore and the future of electronic surveillance and searches. FBI’S CARNIVORE: UNDER THE FOURTH AMENDMENT AND THE USA PATRIOT ACT Scott Griner I. Introduction In the mid-1990=s, the Federal Bureau of Investigation (FBI) recognized the use of the internet and e-mail by the criminal element to defeat traditional methods of surveillance. In 1996, the FBI developed the Omnivore program but abandoned it due to technical difficulties. The FBI then created a number of programs to replace Omnivore. The current version of these programs, known as the ADragonWare Suite,@1 contains the ACarnivore@ and computer program. The FBI claims Carnivore is a tool that Asurgically@2 monitors e- mail between certain suspect parties while allowing e-mail of other parties to remain private. The first part of this paper will perform a Fourth Amendment analysis regarding the use of the Carnivore program. The second part will explore the effects of the USA PATRIOT Act on the 1 FBI=s Carnivore Hunts in a Pack, MSNBC, Oct. 17, 2000, available at http://zdnet.com.com/2102-11-524798.html (last visited Jan. 9, 2003). 2 Carnivore Diagnostic Tool, available at http://www.fbi.gov/hq/lab/carnivore/carnivore2.html (last visited Jan. 9, 2003). 1 1 OKLA. J. L. & TECH. 2 (2003) (formerly 2003 OKJOLT Rev. 2) www.okjolt.org use of Carnivore by the FBI. It should be noted that Carnivore is used for national security investigations but this paper will only cover use in criminal investigations. II. The Carnivore Diagnostic Tool (DCS-1000) The exact date of the development of Carnivore is unclear, but FBI began using Carnivore in 1999.3 Carnivore was unknown to the general public until The Wall Street Journal published an article in July of 2000 revealing its existence. Due to the questions regarding protection of civil liberties created by this revelation,4 the Justice Department decided to publish a brief description of the function and the safeguards involved in the Carnivore program as well as an Aindependent review@ of the software by the Illinois Institute of Technology and Research Institute. A. Carnivore=s Function Agents attach the Carnivore tool to an Internet Service Provider=s (ISP) server pursuant to a court order5 and the traffic routing through that server is copied. The copy is then sent to a predefined Afilter@ which Asniffs”6 the network packets comprising e-mail, instant messages and other types of communications.7 Carnivore allows only the traffic matching the court order to pass the filter. The traffic not allowed past the filter is Adropped out@ of the system. The communications 3 FBI=s Carnivore Hunts in a Pack, MSNBC, Oct. 17, 2000, available at http://zdnet.com.com/2102-11- 524798.html (last visited Jan. 9, 2003). 4 Letters from House Majority Leader Dick Armey to Attorney General Janet Reno, available at http://www.freedom.gov/library/technology/carnletter.asp and http://www.freedom.gov/library/technology/carnletter2.asp (last visited Jan. 9, 2003) 5 A court order must be obtained pursuant to Title III guidelines for interception of private communications. 6 Sniffing consists of searching each packet for predetermined information such as names, addresses, keywords, etc. 7 Unlike the AEchelon@ program run by the National Security Agency, the FBI claims Carnivore does not search through the contents of every message collecting the ones containing keywords, like Abomb@ or Amarijuana.@ Carnivore instead Asniffs@ packets looking for messages sent from a certain account, or to a particular user, which is determined by the court order. 2 1 OKLA. J. L. & TECH. 2 (2003) (formerly 2003 OKJOLT Rev. 2) www.okjolt.org matching the filter are then copied to a permanent storage media. Only personnel authorized by the FBI can access the storage media, preserving the chain of evidence. The Carnivore filter can be defined to allow a pen-register type of record, a content trap, as well as recording Ainstant message@ exchanges. The FBI claims8 this ability is superior to allowing the ISP=s to Aclone@9 the communications because all communications not fitting the filter disappear. The ISPs are also unable to reliably reproduce instant messages. If the ISP Acloned@ all communications the agents would be inspecting vast amounts of private communication needlessly, or missing messages in the instant message format. B. The Pen-Register and Carnivore 1. Legal Aspects of the Pen-Register Capability of Carnivore The first interception mode which Carnivore allows is referred to as the Apen- register.@ This is much like a pen-register on a telephone, which logs only the numbers dialed from the monitored phone line. The pen-register mode on the Carnivore system displays the Internet Protocol (IP) address numbers of the recipient and sender. An IP address is assigned to each user by the Internet provider to allow for identification and also functions as an address for e-mail and instant messaging purposes. 8 Internet and Data Interception Capabilities developed by the FBI: Hearings Before Subcomm. on the Constitution of the House Comm. on the Judiciary, 106th Cong. 4 (2000) (statement of Donald M. Kerr, Asst. Dir., FBI Lab. Div.). 9 ACloning@ by the ISP consists of the creation of a duplicate mailbox which receives a copy of all communications sent to the original. 3 1 OKLA. J. L. & TECH. 2 (2003) (formerly 2003 OKJOLT Rev. 2) www.okjolt.org The Assistant Director of the Laboratory Division of the FBI, Donald Kerr, argues the Supreme Court in Smith v. Maryland has upheld this type of interception.10 The Court held that there was no reasonable expectation of privacy in electronic impulses dialed and transmitted over a telephone line.11 Kerr also claims that United States v. Miller is controlling, because a person has no expectation of privacy in any records they voluntarily hand over to a third party. The disclosure of identities and the billing records relied on in Smith easily distinguishes Carnivore=s pen register mode from the use of the telephone pen register. The Court in Smith pointed out that pen registers Adisclose only telephone numbers@ and that no identities were disclosed.12 The use of an e-mail address could disclose the identity of the user. Many e-mail addresses contain the users= name, initials, birthday, and other personal information. The pen register would therefore disclose the user=s identity to the agents. This was impossible with a telephonic pen register without looking through a phone directory, or a reverse lookup.13 Other e-mail addresses may disclose where the sender or recipient works, as well as their associations. For example, possible e-mail addresses could be [email protected]@ or [email protected].@ These would all be outside the realm of information the Court allowed to be gathered in Smith v. Maryland. 10 Carnivore Diagnostic Tool: Hearing before The Committee on the Judiciary of the US Senate, 106th Cong. 5 (2000) (statement of Donald M. Kerr, Asst. Dir., FBI Lab. Div.). 11 United States v. Miller, 425 U.S. 435, 442-44 (1976). 12 Smith v. Maryland, 442 U.S. 735, 741 (1979) (quoting United States v. New York Tel. Co., 434 U.S. 159, 167 (1977)). 13 A reverse lookup lists phone numbers in numerical sequence followed by the name of the residence or business the number is assigned to. 4 1 OKLA. J. L. & TECH. 2 (2003) (formerly 2003 OKJOLT Rev. 2) www.okjolt.org Proponents of Carnivore would argue that using one=s name for an e-mail address would be voluntarily disclosing that information to third parties, as in United States v. Miller. This voluntary revelation would disallow any reasonable Aexpectation of privacy.@ In Katz v. United States, the Supreme Court established a two-prong test. The Court held the person must exhibit an actual expectation of privacy. The Court further established the expectation Abe one that society is prepared to recognize as >reasonable.=@14 If the use of one=s name as an e-mail address is not considered to destroy the reasonable expectation of privacy, the Court would likely find that it is not Aone that society is prepared to recognize as >reasonable=@, and thus fail the two prong test of Katz. A reasonable expectation of privacy was also addressed by the Court in Smith. The Court reasoned that people have no expectation of privacy because numbers dialed are kept Afor making permanent recordsYthey see a list of their long distance (toll) calls on their monthly bills.@15 They are aware that they must send numbers to the telephone company in order to complete a call, or for other legitimate business purposes. The billing or legitimate business purpose argument is untrue for ISP=s. The billing for internet access is charged by number of hours of access, or by a flat monthly charge. The ISP does not keep a running total on the number and addresses of the sender or recipient. Further, there are many free e-mail services, such as Hotmail.com, that would not maintain records for billing purposes. However, this lack of billing records argument was attempted in Smith but failed to 14 Katz v. United States, 389 U.S. 347, 361 (1967).